Standard access-list example on Cisco Router

(Rene Molenaar) #1

This topic is to discuss the following lesson:

(system) #2

Good work. I have a question.
I am using Packet Tracer 6.0.1.
I have a network with 2 routers and 2 PCs, one on each router. They are on three different networks: 15.x.x.x, 17.x.x.x, and 20.x.x.x. PC1 is on the 15.x.x.x network, and PC2 is on the 17.x.x.x network. They can ping each other before I put in the access-list. (I’m using RIP.)
Then I put in the access list on Router 2

access-list 5 deny 15.0.0.0 0.255.255.255
access-list 5 permit any

interface FastEthernet0/1
ip access-group 5 in

When I ping PC2 from PC1 I get "Reply from 20.1.1.2: Destination host unreachable. "
That’s good.
Now when I ping PC1 from PC2 I get “request time out.”
When I ping PC1 from Router 2 I get no reply. "Success rate is 0 percent (0/5)"
So my question is why can’t I ping to PC1? Am I missing a command?

(Rene Molenaar) #3

Hello George,

The problem is that your ping from PC2 to PC1 will make it, but the return traffic is dropped by your deny entry.

Rene

(system) #4

Hi Rene, I am normally a Windows network admin, and have been appointed to put security on our routers and switches. I know this is a stupid question but when doing access-lists permit, do I just put the serial address or the Ethernet or both? We are running point to point and the router I am working on is remote, so I was going to put the serial address from our core router to the remote.
I only need the remote side to see our core router so would the command be access-lists 1 permit?

(Rene Molenaar) #5

Hi Don,

With the standard access-list you can only create permit or deny statements that match source addresses. If you want a more precise statement you’ll need an extended access-list because it can match on source and destination addresses.

Rene

(Adil M) #6

Rene,

You mentioned “I’ll show you how to modify the access-list without deleting the whole thing” but I didn’t find it in this lesson. Can you please explain?

(Rene Molenaar) #7

Hi Adil,

To do this you have to use the “ip access-list” command instead of the “access-list” command. Here’s an example:

R1#show access-lists 
Standard IP access list MY_ACL
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
    20 permit 192.168.2.0, wildcard bits 0.0.0.255
    30 permit 192.168.4.0, wildcard bits 0.0.0.255

Let’s say I want to add an entry for 192.168.3.0 in between, I can do it like this:

R1(config)#ip access-list standard MY_ACL
R1(config-std-nacl)#21 permit 192.168.3.0 0.0.0.255

Here it is:

R1#show access-lists 
Standard IP access list MY_ACL
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
    20 permit 192.168.2.0, wildcard bits 0.0.0.255
    21 permit 192.168.3.0, wildcard bits 0.0.0.255
    30 permit 192.168.4.0, wildcard bits 0.0.0.255

And you can delete statements too…let’s get rid of 10 + 20:

R1(config)#ip access-list standard MY_ACL 
R1(config-std-nacl)#no 10
R1(config-std-nacl)#no 20

Now it looks like this:

R1#show access-lists 
Standard IP access list MY_ACL
    21 permit 192.168.3.0, wildcard bits 0.0.0.255
    30 permit 192.168.4.0, wildcard bits 0.0.0.255

Hope this helps!

Rene

(deep t) #8

Can you explain how the number that is shown in match is calculated? Like the first ping you did, it shows 27 matches. How is this calculated, did it ping it 27 times etc.?

(Rene Molenaar) #9

Hi Deep,

Each match that you see is a single packet that has matched, that’s it. If you see 27 matches then it means that 27 packets have matched this statement.

Rene
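The three behaviours discussed so far (the deny entry in post #2/#3 dropping PC1's return traffic, the sequence-number insert and delete in post #7, and the per-entry match counter in post #9) can all be seen in a small model of a standard ACL. This is an added example written for this thread, not IOS code or anything from the posts; the ACL names and ranges (MY_ACL, ACL 5, 15.x.x.x/17.x.x.x) are taken from the posts above, while the PC addresses 15.1.1.2 and 17.1.1.2 are constructed, and the `show()` output only approximates the IOS format.

```python
"""Model of a Cisco IOS standard ACL: entries keyed by sequence number,
first match wins, implicit deny at the end, and a per-entry match counter.
Added example for this thread, not IOS code; PC addresses are constructed."""
import ipaddress
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: wildcard bit 0 = must match, 1 = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


class StandardACL:
    """Named standard ACL, edited the way 'ip access-list standard' allows."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: dict[int, tuple[str, str, str]] = {}  # seq -> (action, net, wc)
        self.matches: dict[int, int] = {}

    def add(self, seq: int, action: str, network: str, wildcard: str = "0.0.0.0") -> None:
        """'<seq> permit|deny <network> <wildcard>' in config-std-nacl mode."""
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r}")
        self.entries[seq] = (action, network, wildcard)
        self.matches[seq] = 0

    def add_any(self, seq: int, action: str) -> None:
        """'<seq> permit|deny any' is shorthand for 0.0.0.0 255.255.255.255."""
        self.add(seq, action, "0.0.0.0", "255.255.255.255")

    def remove(self, seq: int) -> None:
        """'no <seq>' deletes one entry and leaves the others untouched."""
        del self.entries[seq]
        del self.matches[seq]

    def sequence(self) -> list[int]:
        return sorted(self.entries)

    def evaluate(self, source: str) -> tuple[str, Optional[int]]:
        """Standard ACLs look only at the source address. Entries are tried in
        sequence order; the first hit decides and bumps that entry's counter.
        No hit means the implicit 'deny any' at the end (reported as seq None)."""
        for seq in self.sequence():
            action, net, wc = self.entries[seq]
            if wildcard_match(source, net, wc):
                self.matches[seq] += 1
                return action, seq
        return "deny", None

    def show(self) -> str:
        """Approximation of 'show access-lists' output for this ACL."""
        lines = [f"Standard IP access list {self.name}"]
        for seq in self.sequence():
            action, net, wc = self.entries[seq]
            if wc == "255.255.255.255":
                target = "any"
            elif wc == "0.0.0.0":
                target = f"host {net}"
            else:
                target = f"{net}, wildcard bits {wc}"
            hits = f" ({self.matches[seq]} matches)" if self.matches[seq] else ""
            lines.append(f"    {seq} {action:<6} {target}{hits}")
        return "\n".join(lines)


def edit_my_acl() -> tuple[list[int], list[int]]:
    """Post #7: insert 21 between 20 and 30, then delete 10 and 20."""
    acl = StandardACL("MY_ACL")
    for seq, net in ((10, "192.168.1.0"), (20, "192.168.2.0"), (30, "192.168.4.0")):
        acl.add(seq, "permit", net, "0.0.0.255")
    acl.add(21, "permit", "192.168.3.0", "0.0.0.255")  # lands between 20 and 30
    after_insert = acl.sequence()
    acl.remove(10)
    acl.remove(20)
    return after_insert, acl.sequence()


def acl5_inbound_on_r2() -> tuple[str, str, str, int]:
    """Posts #2/#3: ACL 5 applied inbound drops anything sourced from 15.x.x.x,
    so PC1's echo requests AND PC1's echo replies to PC2 both hit the deny.
    The last value is the match counter of entry 10 (post #9: one per packet)."""
    acl5 = StandardACL("5")
    acl5.add(10, "deny", "15.0.0.0", "0.255.255.255")
    acl5.add_any(20, "permit")
    echo_from_pc1, _ = acl5.evaluate("15.1.1.2")   # PC1 -> PC2 request (constructed address)
    reply_from_pc1, _ = acl5.evaluate("15.1.1.2")  # PC1 -> PC2 reply carries the same source
    from_pc2, _ = acl5.evaluate("17.1.1.2")        # a 17.x source, if it entered here, is permitted
    return echo_from_pc1, reply_from_pc1, from_pc2, acl5.matches[10]


if __name__ == "__main__":
    print(edit_my_acl())
    print(acl5_inbound_on_r2())
```

The point of `acl5_inbound_on_r2` is that an inbound ACL never sees the direction of a conversation, only the source of each packet entering the interface, so a reply is judged by exactly the same rule as a request with that source.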

(Jonathan O) #10

Hi Rene,

Need your help once again… How can an ACL with a wildcard mask of 0.0.254.254 catch odd networks and even hosts?

e.g. Networks: 20.10.1.0-20.10.10.0 with 6 hosts in each network. The ACL will catch:

20.10.1.0 (Net)/20.10.1.2, .4, .6 (Host) - 20.10.3.0 (Net)/20.10.3.2, .4, .6 (Host); so on and so forth… I know 254 = 0000 0001, but I don’t understand how it catches only the even hosts?

Thanks!

Jon

(Rene Molenaar) #11

Hi Jon,

You didn’t specify the network address that you used with the wildcard. Let’s assume it’s 20.10.0.0 0.0.254.254. Let’s look at some examples…

20.10.1.0 = 00010100 00001010 00000001 00000000
20.10.1.1 = 00010100 00001010 00000001 00000001
20.10.1.2 = 00010100 00001010 00000001 00000010
20.10.1.3 = 00010100 00001010 00000001 00000011
20.10.1.4 = 00010100 00001010 00000001 00000100

20.10.2.0 = 00010100 00001010 00000010 00000000
20.10.3.0 = 00010100 00001010 00000011 00000000
20.10.4.0 = 00010100 00001010 00000100 00000000
20.10.4.1 = 00010100 00001010 00000100 00000001
20.10.4.2 = 00010100 00001010 00000100 00000010

And our network and wildcard:

20.10.0.0 = 00010100 00001010 00000000 00000000

0.0.254.254 = 00000000 00000000 11111110 11111110

The first two octets have to match so we are only looking at the 20.10.x.x range. Let’s forget about those two octets.

1.0 = 00000001 00000000
1.1 = 00000001 00000001
1.2 = 00000001 00000010
1.3 = 00000001 00000011
1.4 = 00000001 00000100

2.0 = 00000010 00000000
3.0 = 00000011 00000000
4.0 = 00000100 00000000
4.1 = 00000100 00000001
4.2 = 00000100 00000010

NW = 00000000 00000000
WC = 11111110 11111110

With this network/wildcard combination, the 24th and 32nd bits have to be 0. We don’t care about the other bits. Only 20.10.2.0, 20.10.4.0 and 20.10.4.2 will match this. It matches only the EVEN networks with EVEN host addresses. If you want the odd networks, use a “deny” in your access-list instead of a “permit”.

If you want to get funky you could use another network address in combination with this wildcard. Let’s say we pick 20.10.0.1:

20.10.0.1 = 00010100 00001010 00000000 00000001

0.0.254.254 = 00000000 00000000 11111110 11111110

Let’s look at the last two octets:

1.0 = 00000001 00000000
1.1 = 00000001 00000001
1.2 = 00000001 00000010
1.3 = 00000001 00000011
1.4 = 00000001 00000100

2.0 = 00000010 00000000
3.0 = 00000011 00000000
4.0 = 00000100 00000000
4.1 = 00000100 00000001
4.2 = 00000100 00000010

NW = 00000000 00000001
WC = 11111110 11111110

Now we are saying that the 24th bit has to be a 0 and the 32nd bit has to be a 1. In my example that would only be 20.10.4.1. Another match would be 20.10.2.1 or 20.10.4.1. Now you have EVEN networks with ODD host addresses.

Hope this helps, it can be mind boggling. If you are unsure, write down everything in binary and then check for the matching bits. You can verify your work with two routers, some loopback interfaces and a distribute-list for RIP/EIGRP. If you want some more explanations, take a look here:

Rene
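The bit-by-bit check in the post above can be automated: render the network/wildcard pair as a pattern of fixed and don't-care bits, then test candidate addresses against it. This is an added example for this thread, not code from the post or from IOS; the network/wildcard pairs and candidate addresses are the ones used in posts #10 and #11 (plus 20.10.2.1, which the post names as a further match). It also goes one step beyond the post: the same wildcard with network 20.10.1.0 gives the odd-network/even-host set Jon originally asked for.

```python
"""Bit-level view of a Cisco wildcard mask (wildcard bit 0 = must match,
1 = don't care). Added example for this thread; candidate addresses are the
ones from the discussion above and are constructed test data, not live hosts."""
import ipaddress


def to_bits(addr: str) -> str:
    """Dotted quad -> four 8-bit groups, as the post writes them."""
    return " ".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Does addr match network/wildcard under Cisco wildcard semantics?"""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # 1 where the address bit must equal the network bit
    return (a & care) == (n & care)


def fixed_bit_positions(wildcard: str) -> list[int]:
    """1-based positions (1 = leftmost) of the bits an address must match."""
    w = int(ipaddress.IPv4Address(wildcard))
    return [i + 1 for i in range(32) if not (w >> (31 - i)) & 1]


def required_pattern(network: str, wildcard: str) -> str:
    """Rule as 32 symbols: '0'/'1' where the bit is fixed by the network,
    'x' where the wildcard says don't care. Grouped per octet."""
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    symbols = []
    for i in range(32):
        bit = 31 - i
        symbols.append("x" if (w >> bit) & 1 else str((n >> bit) & 1))
    return " ".join("".join(symbols[i:i + 8]) for i in range(0, 32, 8))


def matching(candidates: list[str], network: str, wildcard: str) -> list[str]:
    """Subset of candidates (in order) that the network/wildcard pair matches."""
    return [c for c in candidates if wildcard_match(c, network, wildcard)]


# Constructed candidate list: the addresses written out in binary in the post,
# plus 20.10.2.1 which the post mentions as another match for the second case.
CANDIDATES = [
    "20.10.1.0", "20.10.1.1", "20.10.1.2", "20.10.1.3", "20.10.1.4",
    "20.10.2.0", "20.10.2.1", "20.10.3.0",
    "20.10.4.0", "20.10.4.1", "20.10.4.2",
]

if __name__ == "__main__":
    print("fixed bits:", fixed_bit_positions("0.0.254.254"))
    for network, label in (("20.10.0.0", "even net / even host"),
                           ("20.10.0.1", "even net / odd host"),
                           ("20.10.1.0", "odd net / even host")):
        print(f"{network} 0.0.254.254  {required_pattern(network, '0.0.254.254')}  "
              f"{label}: {matching(CANDIDATES, network, '0.0.254.254')}")
    for c in CANDIDATES:
        print(f"{c:<10} = {to_bits(c)}")
```

Reading the `required_pattern` output is the quick way to sanity-check a wildcard before applying it: every position shown as `x` is ignored, so an entry meant to match a contiguous subnet should show `x` only in a trailing run.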

(Diana M) #12

In one of your posts above, I finally understood the difference between the ip access-list and the plain access-list command. Thank you so much.

(Ananth Maruti M) #13

Hi rene,

I have a query.

If I give a ping without the source command, why is it not taking the loopback interface as source? Will it always take the physical interface by default?

(Srikanth V) #14

Hello Rene/Andrew/Lazaros,

Could you please tell me if I could apply an access-list inbound and an access-list outbound for the same interface.
Ex:

R(config)#access-list 1 permit 1.1.1.0 0.0.0.255
R(config)#access-list 1 deny   2.2.2.0 0.0.0.255
R(config)#access-list 1 permit any

R(config-if)#ip access-group 1 in
R(config-if)#ip access-group 1 out

(Andrew P) #15

Ananth,
By default, the interface that is “closest” to the destination is the one chosen. This means that the IP address of the interface that would be used (as dictated by CEF or the routing table) is the IP selected as the source.

(Lazaros Agapides) #16

Hello Srikanth.

Yes, it is possible to apply two access lists to the same interface, as long as one is inbound and the other is outbound. Actually, if you take IPv6 into account you can have up to four access lists on an interface, one per direction per protocol.

I hope this has been helpful!

Laz

(aravind c) #17

Hi Rene,

I have a query. In access-list 2 below, why are pings from R1 to IP 2.2.2.2 failing? As per the statement, it should only deny traffic from 192.168.12.0, right?

R2#sh ip access-list 2 (deny traffic from n/w 192.168.12.0; permit all other n/w's)
Standard IP access list 2
    10 deny   192.168.12.0, wildcard bits 0.0.0.255 (90 matches)
    20 permit any (30 matches)
R1#pi 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
R2#sh run int fa0/0
Building configuration...

Current configuration : 119 bytes
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip access-group 2 in
 duplex auto
 speed auto
end

Please clarify.

Thanks

Aravind

(Rene Molenaar) #18

Hi Aravind,

In your deny statement, you are denying traffic from the entire 192.168.12.0/24 subnet. R1 is probably using 192.168.12.1 as its source address.

Rene

(Hussein Samir) #19

Hi Rene,

How can I filter locally generated packets in the router?

(Lazaros Agapides) #20

Hello Hussein.

When creating and implementing (extended) access lists, you are specifying how to filter traffic based on source and destination IPs, protocols, ports, etc. In order to filter traffic that is generated locally by the router, you just have to determine the IP address from which it is being generated (an IP address of a local physical or loopback interface) and filter it accordingly by applying the access list to the appropriate interface(s).

You don’t have to do anything special for locally generated traffic, just make sure you have the appropriate IP address ranges included in your access lists.

I hope this has been helpful!

Laz